Bessacarr Primary School has an obligation to collect and process information about people with whom it deals. These include pupils, current, past and potential employees, suppliers and clients/customers of services provided to and by the School.
The principles of the Data Protection Act make it mandatory for the School to take appropriate measures to ensure personal data is processed fairly and lawfully and with due regard to the sensitivity, confidentiality and security of the information.
This policy identifies the main principles of the Data Protection Act 1998 that must be adhered to when processing personal information.
It applies to ALL members and officers of Doncaster Metropolitan Borough Council.
The aims of the policy are to:
- ensure that all members and officers of Doncaster Metropolitan Borough Council are aware of the principles of the Data Protection Act 1998
- define the criteria and controls that must be applied throughout the Authority to ensure the data protection principles are implemented and adhered to
- identify the responsibilities of members and officers in complying with the principles of the Data Protection Act 1998.
It is necessary to define the terms to be used and, for the purposes of this policy, they are as follows:
Processing means obtaining, recording or holding the data or carrying out any operation or set of operation on the data. It includes organising, adapting and amending the data, retrieval, consultation and use of the data, disclosing and erasure or destruction of the data. It is difficult to envisage any activity involving data that does not amount to processing.
Personal Data means data that relate to a living individual who can be identified from those data and other information that is in the possession of, or is likely to come into the possession of, the data controller.
Data Controller means a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.
Specifically, the principles of the Data Protection Act 1998 require that personal information:
- shall be processed fairly and lawfully and, in particular, shall not be processed unless specific conditions are met
- shall be obtained only for one or more specific and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes
- shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed
- shall be accurate and, where necessary, kept up to date
- shall not be kept longer than is necessary for the purpose or purposes
- shall be processed in accordance with the rights of data subjects under the Act
- appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data
- shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data
Bessacarr Primary School must, through appropriate management, apply the following criteria and controls in order to comply with the principles of the Data Protection Act 1998:
- observe fully the conditions regarding the fair collection and use of personal data
- meet its legal obligations to specify the purposes for which information is used
- collect and process appropriate information and only to the extent that it is needed to fulfil operational needs or to comply with any legal requirements
- ensure the quality of information used
- apply strict checks to determine the length of time information is held
- ensure that data subjects are able to fully exercise their rights under the Act. These include:
- the right to be informed that processing is being undertaken
- the right of access to their personal information
- the right to prevent processing in certain circumstances
- the right to correct, rectify, block or erase information which is regarded as being incorrect
- take appropriate technical and organisational security measures to safeguard personal information
- ensure that personal information is not transferred abroad without suitable safeguards.
It is the responsibility of all Governors and employees of Bessacarr Primary School to ensure that:
- everyone managing and handling personal information understands that they are contractually responsible for following good data protection practice
- everyone managing and handling personal information is appropriately trained to do so
- everyone managing and handling personal information is appropriately supervised
- anyone wanting to make enquiries about handling personal information knows what they should do
- queries about handling personal information are promptly and courteously dealt with
- methods of handling personal information are clearly prescribed
- a regular review and audit is made of the way personal information is managed
- methods of handling personal information are regularly assessed and evaluated
- all data protection and security of information policies and procedures are understood, implemented and adhered to.
Details and advice about the Act can be found on the Information Commissioner’s website at www.informationcommissioner.gov.uk
This policy was ratified in March 2011. It will be reviewed annually.
Review Date: Reviewed by:
March 2012 Sarah Davies and Roni Chapman